On 20/07/2012 7:47 a.m., Rick Chisholm wrote:
> I have an NTLM auth proxy, but a number of apps do not seem to be smart
> enough to pass credentials and this generates numerous squid
> authentication pop-ups for users. I'm trying to eliminate this.
NTLM is inefficient and now deprecated as well. A bunch of those apps
you will find happy to use Negotiate/Kerberos authentication, any
Windows 7 and Vista client software will be in that group. Upgrade to
Kerberos is recommended.
Anyways...
>
> I was thinking of creating a browser ACL with entries the will cover the
> browsers in use on the network and then try to use a NOT operator like
>
> http_access allow !known_browsers
>
> before the auth required setting.
>
> thoughts?
That particular logic is a bit tricky and allows users through the proxy
without auth if you make any mistakes in the browser regex pattern (or
they fake their UA string).
I would pick a whitelist style of known-ok agents to send the auth
challenge to.
http_access allow known_browsers authAcl
That way any mistakes will result in visible auth popups, not a silent
allow.
Amos
Received on Thu Jul 19 2012 - 23:22:26 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 20 2012 - 12:00:01 MDT